Over the last two weeks we contained four major cyber incidents across mixed environments. The common thread was financially motivated actors abusing legitimate features such as OAuth and mailbox rules. Below we share what worked in the field, the must-do controls such as phishing-resistant MFA, and the one-hour identity reset window you should enforce after a compromise.
Key Conclusions
- Financial motivation dominates recent threat activity.
- Legitimate features are frequently abused for malicious purposes (e.g., OAuth, mailbox rules, data export).
- It is important that clients ensure any third-party applications in use provide suitable audit capabilities, as lack of visibility can hinder detection and response to security incidents.
- A proactive threat-hunting approach minimizes the damage done by threat actors.
- After a compromise, when resetting an O365 or G Suite account, the account should be disabled for at least one hour.
- This is because identity and access changes can take up to approximately one hour to fully propagate across Microsoft services. During this propagation window, a threat actor may still be able to regain access if the account remains enabled.
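As an added example (not code from the original write-up), the reset sequence above as a PowerShell routine for a Microsoft 365 account: disable, revoke sessions, rotate the password, collect mailbox rules and OAuth grants for the investigation, and refuse to re-enable the account before the one-hour window has passed. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules are installed and an admin session is already connected; the $ContainmentState table is a hypothetical stand-in for whatever case record you keep.

```powershell
# Added example, not from the original write-up. Assumes Connect-MgGraph (User.ReadWrite.All)
# and Connect-ExchangeOnline have already been run by an administrator.

$ContainmentState = @{}   # hypothetical in-memory record: UPN -> time the account was disabled

function Invoke-AccountContainment {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 1. Block sign-in first so nothing below races the attacker's live session.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    # 2. Invalidate refresh tokens and sessions; any new sign-in must re-authenticate.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # 3. Rotate the password (24 random base64 chars) and force a change on next sign-in.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = [Convert]::ToBase64String($bytes)
        ForceChangePasswordNextSignIn = $true
    }

    # 4. Evidence for the investigation: persistence via mailbox rules and OAuth consent grants.
    $rules  = Get-InboxRule -Mailbox $UserPrincipalName
    $grants = Get-MgUserOauth2PermissionGrant -UserId $UserPrincipalName

    $ContainmentState[$UserPrincipalName] = Get-Date
    [pscustomobject]@{
        User        = $UserPrincipalName
        DisabledAt  = $ContainmentState[$UserPrincipalName]
        InboxRules  = $rules
        OAuthGrants = $grants
    }
}

function Enable-ContainedAccount {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$MinimumMinutes = 60)

    $disabledAt = $ContainmentState[$UserPrincipalName]
    if (-not $disabledAt) { throw "No containment record for $UserPrincipalName" }

    # Identity changes take up to about an hour to propagate; re-enabling earlier
    # can let a still-cached token regain access.
    $elapsed = (Get-Date) - $disabledAt
    if ($elapsed.TotalMinutes -lt $MinimumMinutes) {
        $remaining = [math]::Ceiling($MinimumMinutes - $elapsed.TotalMinutes)
        throw "Too early: wait another $remaining minute(s) before re-enabling $UserPrincipalName"
    }
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true
    $ContainmentState.Remove($UserPrincipalName)
}
```

Review the returned InboxRules and OAuthGrants before calling Enable-ContainedAccount; forwarding rules and unfamiliar consented apps are the persistence mechanisms the incidents above relied on.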
Actionable Recommendations
- Enforce phishing-resistant Multi-Factor Authentication (MFA) for all users.
- Rotate passwords regularly and invalidate sessions after compromise.
- Audit and restrict third-party integrations and OAuth applications.
- Enable real-time alerts for sensitive actions and anomalous login patterns.
- Disable or restrict mass data export features and monitor for abnormal downloads.
- Review access to connected platforms and apply least privilege principles.